GDPR. Processor-grade discipline, EU to Bangkok.
Othello International processes client documents that contain personal data — names, addresses, financial figures, identifiers — so the General Data Protection Regulation (Regulation (EU) 2016/679) is squarely in frame. Under Article 3, GDPR applies extraterritorially: a Bangkok firm processing the personal data of EU residents is in scope. Othello acts as a data processor on the client-controller’s documented instructions. Thailand holds no EU adequacy decision — so EU → Thailand transfers run on Standard Contractual Clauses plus a Transfer Impact Assessment and supplementary measures, not on a claim of adequacy Othello does not have. Article 28 DPA on request · NDA from first email · audit-trail retained Bangkok-side.
- RoleData processor · on instruction
- ScopeArt 3 · extraterritorial
- EU→TH transferSCCs + TIA · not adequacy
- ContractArt 28 DPA · on request
- Breach72h · notify controller
- DomicileThai PDPA · GDPR-aligned
- ConfidentialityNDA from first email
The posture, substantively. Six points that make EU-facing work lawful.
GDPR compliance for a translation and advisory firm is not a badge — it is a documented operating posture. Othello processes personal data inside client documents, so the questions that matter are: what role does Othello hold, what brings it into scope, how does data lawfully reach Bangkok, and what contract governs it. The six points below document the substantive posture.
Processor, not controller.
Othello acts as a data processor — it processes personal data on the documented instructions of the client, who is the controller. Othello does not determine the purposes of processing; it translates, edits, and advises on documents the client supplies. This role allocation is recorded in the engagement and the DPA, and it dictates the Article 28 obligations Othello accepts.
Extraterritorial. Article 3 reaches Bangkok.
GDPR applies regardless of where the processor sits. Under Article 3, processing the personal data of individuals in the EU brings a non-EU firm into scope. Othello does not treat its Bangkok domicile as an exemption — EU-facing engagements are run to GDPR standard. This is the honest reading: the regulation follows the data subject, not the processor’s postcode.
SCCs + TIA. Not a claim of adequacy.
Thailand has no EU adequacy decision. So EU → Thailand transfers cannot rely on adequacy — they run on the modernised Standard Contractual Clauses (Decision (EU) 2021/914), accompanied by a Transfer Impact Assessment and documented supplementary measures. Othello will not pretend Thailand is “adequate” — it documents the actual lawful mechanism the regulation requires for a non-adequate third country.
Article 28 Data Processing Agreement.
Every EU-facing engagement can run under an Article 28 DPA. The DPA records the subject matter and duration of processing, the nature and purpose, the types of personal data and categories of data subject, and the controller’s instructions — plus Othello’s confidentiality, security, sub-processor, breach-notification, audit, and deletion obligations. The DPA is the instrument; SCCs sit inside it for the transfer.
72-hour notification discipline.
As a processor, Othello’s obligation under Article 33 is to notify the controller without undue delay on becoming aware of a personal-data breach — so the controller can meet its own 72-hour supervisory-authority deadline. Othello maintains an incident-response procedure: detection, containment, assessment, controller notification, and documented remediation, with the event recorded in the audit-trail.
Data-subject rights, facilitated.
Othello assists the controller in honouring data-subject rights — access, rectification, erasure, restriction, portability, and objection (Articles 15–21). As processor, Othello does not field requests directly from data subjects; it supports the controller’s response with prompt retrieval, correction, or deletion of the relevant material from Othello-controlled infrastructure, recorded in the audit-trail.
★ WHY THE HONEST TRANSFER STORY MATTERS · Vendors that claim “GDPR compliant” without naming a transfer mechanism are hiding the hard part. For EU → Thailand, the hard part is the absence of adequacy — which is why SCCs + a Transfer Impact Assessment + supplementary measures are the real answer. Othello documents the mechanism rather than asserting a status it does not hold. See PDPA Compliance for the Thai-domicile counterpart.
Eight data-protection practices. Where the posture becomes operational.
A posture is only as good as the daily handling. The flagship practices are in-house processing and encryption — the two that most often distinguish institutional-grade handling from consumer-tier translation tools that quietly send client content to third-party endpoints.
In-house processing
The flagship practice. Othello does not route substantive client content through consumer LLM endpoints or unscreened third-party tools. Personal data inside documents is processed within Othello-controlled infrastructure by the named bench. No silent data egress to free machine-translation services — the single most common GDPR failure in the translation market.
Encryption in transit & at rest
Personal data is encrypted in transit and at rest — a documented supplementary measure under the SCC transfer regime. Encryption with keys held by Othello is precisely the kind of technical measure a Transfer Impact Assessment calls for when the destination is a non-adequate third country. Secure transfer channels, not email attachments by default.
Least-privilege access control
Access to client documents is restricted to the named bench assigned to the engagement. Least-privilege controls mean a translator or editor sees only the material their role requires. Access is logged. Need-to-know is enforced, not assumed — a measure the TIA documents and the DPA records.
Data minimisation & purpose limitation
Othello processes only the personal data the engagement requires, for only the purpose the controller instructs (Article 5 principles). Where a document can be pseudonymised or redacted without harming the translation, it is. No retention “just in case” — minimisation is the default, not the exception.
Retention & scheduled deletion
Source documents and deliverables are retained only for the agreed period, then securely deleted on schedule (Article 5 storage limitation). The retention window is set in the DPA. On engagement close or controller instruction, Othello deletes or returns the data and confirms deletion in writing, recorded in the audit-trail.
Sub-processor screening & flow-down
Where a sub-processor is engaged, it is screened and bound by back-to-back obligations no weaker than Othello’s own (Article 28(4)). The controller is informed of sub-processors and may object. No undisclosed sub-processing — the same transparency discipline Othello applies to partner-routed language work.
Incident-response procedure
A documented incident-response procedure governs detection, containment, assessment, and controller notification without undue delay (Article 33). The procedure assigns responsibility, sets timelines, and ends in remediation and a recorded post-incident review. The controller is notified in time to meet its own 72-hour deadline.
RoPA & audit-trail
Othello maintains records of processing activities (Article 30) and a consolidated audit-trail per engagement — processing purpose, data categories, transfer mechanism, retention, deletion, and any incidents. Retained Bangkok-side and available to the controller for its own accountability and supervisory-authority obligations.
★ SUPPLEMENTARY MEASURES ARE THE POINT · After Schrems II, SCCs alone are not enough. The exporter must assess the destination and add measures — encryption, access control, minimisation, processing isolation — to bring protection up to EU-equivalent standard. The eight practices above are those supplementary measures, operationalised. See Our Process for the bench workflow they sit inside.
GDPR and PDPA map closely — but they are not the same instrument.
Othello is domiciled in Thailand, so Thailand’s Personal Data Protection Act (PDPA) is its home regime; the GDPR applies to EU-facing engagements. The two are closely aligned — PDPA was modelled on GDPR — but the obligations attach differently. Othello runs one operating discipline that satisfies both, and names which regime governs which engagement.
One handling standard. Two regimes it answers to.
Where the data subject is in the EU/EEA, GDPR governs and the EU → Thailand transfer runs on SCCs + TIA. Where the data subject is in Thailand, PDPA governs directly. Many engagements touch both. Othello’s bench operates a single discipline — in-house processing, encryption, minimisation, retention control, breach response — calibrated to satisfy the stricter of the two on any given point. See PDPA Compliance for the Thai-domicile detail.
★ PLAIN LANGUAGE · Othello is a Thai PDPA-domiciled firm that runs EU-facing work to GDPR standard via SCCs and an Article 28 DPA. It does not claim Thailand is EU-adequate, and it does not treat its Bangkok base as a GDPR exemption. One handling discipline, two regimes, named per engagement.
Six stages. Each with a documented gate. Data is controlled end to end.
How personal data inside a client document is handled from arrival to deletion. The transfer gate is first — before any EU-origin data reaches Bangkok, the SCC + TIA + DPA basis is in place. Nothing is processed on a basis that is not documented. See Our Process for the bench workflow this sits inside.
From intake to confirmed deletion. Bangkok-controlled throughout.
Every engagement carrying personal data progresses through the six stages below. The lawful basis and transfer mechanism are set before intake — DPA executed, SCCs incorporated, TIA on file for EU-origin data. The data is then controlled inside Othello infrastructure to confirmed deletion.
Data protection sits inside the engagement. Not bolted on.
GDPR discipline runs through every service Othello delivers — translation, certified work, ESG advisory. The pages below document the adjacent compliance frame and the services it protects, all under one engagement letter, one NDA, one audit-trail.
PDPA Compliance · Thai domicile
The Thai Personal Data Protection Act counterpart — Othello’s home data-protection regime, modelled on GDPR and directly applicable to Thai-origin data. The other half of the one-discipline-two-regimes posture.
Open PDPA ComplianceTechnical Translation · ISO 17100
ISO 17100 + ISO 9001 technical translation — the service most often carrying personal data inside documents. In-house processing, encryption, and minimisation apply to every engagement. GDPR/PDPA discipline built into the workflow.
Open Technical TranslationData Processing Agreement
Request an Article 28 Data Processing Agreement with SCCs incorporated for EU-facing work — issued under mutual NDA. The contract that records role, scope, transfer mechanism, and Othello’s obligations before any data moves.
Request a DPAData-protection questions answered up front.
Substantive answers to what privacy officers, Big Law procurement, and EU-facing clients routinely ask about how a Bangkok firm handles personal data under GDPR. Click to expand each.
Q.01Does GDPR even apply to a Bangkok-based firm?
Yes, where EU data subjects are involved. Under Article 3, GDPR applies extraterritorially — processing the personal data of individuals in the EU brings a non-EU firm into scope regardless of where it sits. Othello does not treat its Bangkok domicile as an exemption. EU-facing engagements are run to GDPR standard, with the EU → Thailand transfer handled under Standard Contractual Clauses.
Q.02Is Othello a data controller or a data processor?
A data processor. Othello processes personal data inside documents on the documented instructions of the client, who is the controller and determines the purposes. This role allocation is recorded in the engagement and the Article 28 Data Processing Agreement, and it dictates the obligations Othello accepts — confidentiality, security, sub-processor control, breach notification, audit, and deletion.
Q.03Thailand has no EU adequacy decision — so how is the transfer lawful?
Through Standard Contractual Clauses, not adequacy. Thailand is not on the EU’s list of adequate countries, so EU → Thailand transfers run on the modernised SCCs (Decision (EU) 2021/914) incorporated into the DPA, accompanied by a Transfer Impact Assessment and documented supplementary measures (encryption, access control, minimisation). Othello will not claim Thailand is “adequate” — it documents the actual lawful mechanism the regulation requires for a non-adequate third country.
Q.04What is a Transfer Impact Assessment and do you do one?
After the Schrems II ruling, SCCs alone are not enough — the data exporter must assess whether the destination country offers protection essentially equivalent to the GDPR, and add supplementary measures where it falls short. That assessment is the Transfer Impact Assessment. For EU-origin engagements, the TIA documents the measures — encryption with Othello-held keys, least-privilege access, in-house processing, minimisation — and is reassessed at least annually.
Q.05Will you sign a Data Processing Agreement?
Yes. Every EU-facing engagement can run under an Article 28 DPA, available on request and issued under mutual NDA. The DPA records the subject matter, duration, nature and purpose of processing, the types of personal data and categories of data subject, the controller’s instructions, and Othello’s obligations — with the SCCs incorporated for the transfer. The DPA is the instrument; SCCs sit inside it.
Q.06Do you use machine translation or consumer AI tools on our documents?
No — not for substantive client content. Othello does not route personal data inside client documents through consumer LLM endpoints or unscreened third-party machine-translation services. Content is processed within Othello-controlled infrastructure by the named bench. Silent data egress to free translation tools is the single most common GDPR failure in the translation market — and the one Othello is built to avoid.
Q.07How fast do you notify us of a personal-data breach?
As a processor, Othello’s obligation under Article 33 is to notify the controller without undue delay on becoming aware of a breach — so the controller can meet its own 72-hour supervisory-authority deadline. Othello runs a documented incident-response procedure: detection, containment, assessment, controller notification, remediation, and a recorded post-incident review.
Q.08How do you handle data-subject rights requests?
As processor, Othello does not field requests directly from data subjects — it assists the controller in honouring them (Articles 15–21: access, rectification, erasure, restriction, portability, objection). On the controller’s instruction, Othello promptly retrieves, corrects, extracts, or deletes the relevant material from Othello-controlled infrastructure and records the action in the audit-trail.
Q.09How long do you keep our documents, and do you confirm deletion?
Only for the agreed retention window, then secure deletion with written confirmation (Article 5 storage limitation). The window is set in the DPA. On engagement close or controller instruction, Othello deletes or returns the data and confirms in writing, with the lifecycle recorded in the audit-trail. No retention “just in case.”
Q.10How does GDPR relate to PDPA, and to Othello’s wider engagement framework?
PDPA is Othello’s home regime; GDPR applies to EU-facing work. Thailand’s PDPA was modelled on GDPR, so the two map closely — Othello runs one handling discipline (in-house processing, encryption, minimisation, retention control, breach response) calibrated to satisfy the stricter of the two on any point. This sits inside the firm’s founding standard — established 2020 on US government contracts under FAR-grade verification and NDA-from-first-email confidentiality. See PDPA Compliance. Email [email protected] or call +66 02-859-2145.
Personal data, handled lawfully.
Othello runs EU-facing work to GDPR standard via SCCs and an Article 28 DPA — processor role, in-house processing, encryption, minimisation, 72-hour breach discipline, confirmed deletion — and is PDPA-domiciled in Thailand. The transfer basis is documented before any data crosses; the audit-trail is retained Bangkok-side. ≤1 BH acknowledgement · DPA on request under mutual NDA.
Unit 12-03, Chartered Square · 152 N Sathon Rd · Si Lom · Bangkok 10500